Mozilla urgently released Firefox 74.0.1 and Firefox ESR 68.6.1 to fix two flaws in the way the browser manages memory. The two vulnerabilities, CVE-2020-6819 and CVE-2020-6820, were rated “Severe.” This type of “use-after-free” vulnerability allows hackers to put code into Firefox’s memory and execute it in the context of the browser.
Security researcher Francisco Alonso discovered the two vulnerabilities but did not disclose further details. Alonso said it was not clear whether the vulnerabilities had been exploited and that other browsers could be affected in a similar way, with more information to follow.
It is clear that Mozilla's priority for now is to release the patch before investigating further. All Firefox users are advised to install the update as soon as possible.
This is the second time this year that Mozilla has fixed a 0day bug in Firefox. In January, with the release of Firefox v72.0.1, it fixed another bug that had been used to target users in China and Japan.